The technical field of the present invention relates to a packet forwarding device with high-speed filtering means.
Distributed Denial of Service (DDoS) attacks, which transmit invalid packets to waste the bandwidth resources of a network and overload a public server, are becoming a serious problem. Since an attacker often transmits packets whose source address is spoofed to prevent traceback to the source, detection and discarding of such spoofed packets by a packet forwarding device is effective in preventing a Distributed Denial of Service attack.
As a technique for detecting and discarding a spoofed packet, filtering in a packet forwarding device is available. As an example of such filtering, there is known filtering in loose mode described in IETF RFC 2827: “Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing.” IETF RFC 2827 describes that packets passing through a packet forwarding device are limited to ones whose source address carries a known, advertised prefix. A prefix here refers to the high-order bits of an address and is information indicating a network.
Another example of filtering is filtering in strict mode described in IETF RFC 1812: “Requirements for IP Version 4 Routers.” The document describes that if the interface of a packet forwarding device on which a packet is received (to be referred to as an input interface) is different from the interface on which the device would output data destined for the source address of that packet, the packet needs to be discarded.
In many cases, the source address of a spoofed packet either carries an unknown, unadvertised prefix, or the interface on which data would be output to reach that source address is different from the input interface. Accordingly, execution of the filtering described above by a packet forwarding device makes it possible to greatly reduce the number of spoofed packets.
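The two checks described above, as an added illustration that is not part of the patent text: a longest-prefix-match lookup over a constructed forwarding table (the prefixes and interface names are assumed, hypothetical values), with loose mode accepting any source whose prefix is known and strict mode additionally requiring that the route back to the source leaves on the input interface.

```python
import ipaddress

# Constructed forwarding table: (advertised prefix, egress interface).
# These entries and interface names are hypothetical sample values.
FIB = [
    (ipaddress.ip_network("10.0.0.0/8"), "eth0"),
    (ipaddress.ip_network("10.1.0.0/16"), "eth1"),
    (ipaddress.ip_network("192.0.2.0/24"), "eth2"),
]


def lookup_egress(src):
    """Longest-prefix match on src; return its egress interface or None if unknown."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, iface in FIB:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def loose_mode_ok(src):
    """RFC 2827 style: pass only if the source prefix is known (advertised)."""
    return lookup_egress(src) is not None


def strict_mode_ok(src, in_iface):
    """RFC 1812 style: pass only if the route back to src exits on in_iface."""
    return lookup_egress(src) == in_iface


def filter_packets(packets):
    """Return {(src, in_iface): (loose_verdict, strict_verdict)} for each packet."""
    verdict = lambda ok: "pass" if ok else "drop"
    return {
        (src, iface): (verdict(loose_mode_ok(src)), verdict(strict_mode_ok(src, iface)))
        for src, iface in packets
    }


if __name__ == "__main__":
    # Constructed sample packets: (source address, input interface).
    sample = [("10.1.2.3", "eth1"), ("10.2.3.4", "eth1"),
              ("203.0.113.5", "eth0"), ("192.0.2.9", "eth2")]
    for key, (loose, strict) in filter_packets(sample).items():
        print(f"{key[0]:>12} on {key[1]}: loose={loose} strict={strict}")
```

The second sample packet shows the difference between the modes: its prefix is advertised, so loose mode passes it, but the route back to it exits on a different interface, so strict mode drops it.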